CVE-2026-2207
Unknown Unknown - Not Provided
Information Disclosure Vulnerability in WeKan Activity Publication Handler

Publication date: 2026-02-08

Last updated on: 2026-02-11

Assigner: VulDB

Description
A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2207
EUVD
EUVD-2026-5822
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wekan_project wekan to 8.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2207 is an information disclosure vulnerability in the Wekan application versions up to 8.20. It occurs due to insufficient authorization filtering in the activity publication logic, specifically in the file server/publications/activities.js within the Activity Publication Handler component.

The vulnerability allows unauthorized users to access activity data linked to boards they should not have permission to view. This happens because the system did not properly check if the requesting user had visibility rights on linked boards before returning activity information.

The security fix involves adding strict visibility checks for boards and linked boards, ensuring only authenticated users with proper access rights can see the activity data. This prevents unauthorized information disclosure by restricting access to activities on boards that are not visible to the user.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive activity information from boards within the Wekan application that you do not have permission to access.

An attacker could remotely exploit this flaw without authentication to view confidential activity data, potentially exposing internal project details, user actions, or other sensitive information managed within Wekan.

While it does not affect data integrity or availability, the confidentiality breach could result in privacy violations, information leakage, and potential competitive or operational risks depending on the nature of the disclosed activities.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves unauthorized access to activity data in Wekan due to insufficient authorization filtering in the activities publication logic. Detection would involve verifying if unauthorized users can access activity data from boards they should not have permission to view.

Since the issue is in the file server/publications/activities.js and relates to visibility checks on boards and linked boards, detection can include reviewing logs or monitoring API calls related to activity publications to identify if users without proper permissions are receiving activity data.

Specific commands are not provided in the available resources. However, general detection steps could include:

  • Reviewing Wekan server logs for unusual access patterns to activity data.
  • Using network monitoring tools to capture and analyze requests to the activities publication endpoint to check if unauthorized data is being returned.
  • Testing access by attempting to query activity data from boards where the user should not have access, to verify if the vulnerability is present.
Mitigation Strategies

The primary and recommended mitigation step is to upgrade Wekan to version 8.21 or later, which includes the patch that fixes this vulnerability.

The patch (commit ID 91a936e07d2976d4246dfe834281c3aaa87f9503) enforces proper user authentication and visibility checks on boards and linked boards, preventing unauthorized access to activity data.

Until the upgrade can be applied, consider restricting access to the affected publication endpoints and monitoring for suspicious activity to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart